1. In a security heterogenic computer network supporting different security 
descriptor specifications, the computer network having one or more devices that use a first 
security descriptor that follows a first security descriptor specification to describe security 
permissions related to a particular object, the compu/er network also having one or more 
devices that use a second security descriptor that/ follows a second security descriptor 
specification to describe security permissions related to that same particular object, a 
method of replicating in a non-degenerative fashion the first security descriptor with the 
second security descriptor specification, the method facilitating the synchronization of the 
first and second security descriptor specifications so that both security specifications may 
be used in the computer network, the method comprising the following: 

a step for converting the/ first security descriptor that follows the first 
security descriptor specification /into a version of the first security descriptor that 
follows the second security descriptor specification; 

a step for comparing trie version of the first security descriptor that follows 
the second security descriptor specification with the second security descriptor that 
also follows the second security descriptor specification; and 

an act of changing the second security descriptor to reflect at least some of 
the changes represented In the version of the first security descriptor. 

2. A method in accordance with Claim 1, wherein the first security descriptor 
specification is the 4.0 specification. 

3. A method/ in accordance with Claim 2, wherein the second security 
descriptor specification is the Active Directory specification. 
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4. A method in accordance with Claim 1, wherein the first security descriptor 
specification is the Active Directory specification. / 

5. A method in accordance with Cmm 4, wherein the second security 
descriptor specification is the 4.0 specification. / 

6. A method in accordance with Claim 1, wherein the step for converting the 
first security descriptor that follows the first security descriptor specification into a version 
of the first security descriptor that follows Ahe second security descriptor specification 
comprises the following: / 

an act of consulting mapping rules that define mappings of rights of the first 
security descriptor specification / to rights of the second security descriptor 
specification; / 

for each right for which/there is a corresponding mapping rule, converting 
the right that follows the first security descriptor specification to a corresponding 
right that follows the second security descriptor specification; and 

an act of assembling each corresponding right that follows the second 
security descriptor specification to form a version of the first security descriptor 
that follows the second security descriptor specification. 

7. A method in accordance with Claim 1, wherein the step for comparing the 
version of the first security /descriptor that follows the second security descriptor 
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specification with the second security descriptor pat also follows the second security 

descriptor specification comprises the following: 

for each right for which there is/a corresponding mapping rule, an act of 
comparing the right in the version of me first security descriptor that follows the 
second security descriptor specification to the right in the second security 
descriptor; and 

based on the act of comp|bring, an act of detecting changes in the first 
security descriptor that are not reflected in the second security descriptor. 
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8. In a security heterogenic computer network supporting different security 
descriptor specifications, the computer network havingyone or more devices that use a first 
security descriptor that follows a first security descriptor specification to describe security 
permissions related to a particular object, the computer network also having one or more 
devices that use a second security descriptor thaft follows a second security descriptor 
specification to describe security permissions plated to that same particular object, a 
method of replicating in a non-degenerative fashion the first security descriptor with the 
second security descriptor specification, the method facilitating the synchronization of the 
first and second security descriptor specifications so that both security specifications may 
be used in the computer network, the metlfod comprising the following: 

an act of consulting mapping rules that define mappings of rights of the first 

security descriptor specification to rights of the second security descriptor 

specification; / 

for each right for which there is a corresponding mapping rule, converting 

the right that follows the first security descriptor specification to a corresponding 

right that follows the second security descriptor specification; 

an act of a/sembling each corresponding right that follows the second 

security descripto/ specification to form a version of the first security descriptor 

that follows the second security descriptor specification; 

for eami right for which there is a corresponding mapping rule, an act of 

comparing me right in the version of the first security descriptor that follows the 

second security descriptor specification to the right in the second security 

descriptor; 
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based on the act of comparing, an act of detecting changes in the first 
security descriptor that are not reflected in the second security descriptor; and 

an act of changing the second security descriptor to reflect the detected 
changes in the first security descriptor. / 

9. A method in accordance witly Claim 8, wherein the first security descriptor 
specification is the 4.0 specification. / 

10. A method in accordance with Claim 9, wherein the second security 
descriptor specification is the Active Directory specification. 

11. A method in accordance with Claim 8, wherein the first security descriptor 
specification is the Active Directory specification. 

12. A method in accordance with Claim 11, wherein the second security 
descriptor specification is the/4. 0 specification. 
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13. A computer program product for use in a security heterogenic computer 
network supporting different security descriptor /specifications, the computer network 
having one or more devices that use a first security descriptor that follows a first security 
descriptor specification to describe security permissions related to a particular object, the 
computer network also having one or more devices that use a second security descriptor 
that follows a second security descriptor specification to describe security permissions 
related to that same particular object, the cfomputer program product for implementing a 
method of replicating in a non-degenerative fashion the first security descriptor with the 
second security descriptor specification, the method facilitating the synchronization of the 
first and second security descriptor specifications so that both security specifications may 
be used in the computer network, tha computer program product comprising a computer- 
readable medium having computer-executable instructions for performing the following: 

a step for converting the first security descriptor that follows the first 
security descriptor specification into a version of the first security descriptor that 
follows the second secunty descriptor specification; 

a step for comparing the version of the first security descriptor that follows 
the second security descriptor specification with the second security descriptor that 
also follows the second security descriptor specification; and 

an act of changing the second security descriptor to reflect at least some of 
the changes represented in the version of the first security descriptor. 

14. A computer program product in accordance with Claim 13, wherein the first 
security descriptor specification is the 4.0 specification. 
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15. A computer program product in accordance with Claim 14, wherein the 
second security descriptor specification is the Active Directory specification. 

16. A computer program product in accordance with Claim 14, wherein the first 
security descriptor specification is the Active Directory specification. 

17. A computer program product in accordance with Claim 16, wherein the 
second security descriptor specification is the 4.0 specification. 

18. A computer program pj/oduct in accordance with Claim 13, wherein the 
computer-executable instructions for yperforming the step for converting the first security 
descriptor that follows the first security descriptor specification into a version of the first 
security descriptor that follows me second security descriptor specification comprise 
computer-executable instructions/for performing the following: 

an act of consulting mapping rules that define mappings of rights of the first 
security descriptor specification to rights of the second security descriptor 
specification; / 

for each rigMt for which there is a corresponding mapping rule, converting 
the right that folldws the first security descriptor specification to a corresponding 
right that follows Ahe second security descriptor specification; and 

an act of assembling each corresponding right that follows the second 
security descriptor specification to form a version of the first security descriptor 
that follows the second security descriptor specification. 
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19. A computer program product in accordance with Claim 13, wherein the 
computer-executable instructions for performing Ahe step for comparing the version of the 
first security descriptor that follows the second security descriptor specification with the 
second security descriptor that also follows /the second security descriptor specification 
comprise computer-executable instructions ior performing the following: 

for each right for which mere is a corresponding mapping rule, an act of 

comparing the right in the version of the first security descriptor that follows the 

second security descriptor specification to the right in the second security 

descriptor; and / 

based on the act of comparing, an act of detecting changes in the first 

security descriptor that are not reflected in the second security descriptor. 
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20. A computer program product for use in a security heterogenic computer 
network supporting different security descriptor specifications, the computer network 
having one or more devices that use a first security descriptor that follows a first security 
descriptor specification to describe security permissions related to a particular object, the 
computer network also having one or more devices that use a second security descriptor 
that follows a second security descriptor specification to describe security permissions 
related to that same particular object, a computer program product for implementing a 
method of replicating in a non-degeneraiive fashion the first security descriptor with the 
second security descriptor specification./ the method facilitating the synchronization of the 
first and second security descriptor specifications so that both security specifications may 
be used in the computer network, the computer program product comprising a computer- 
readable medium having computer-executable instructions for performing the following: 

an act of consulting mapping rules that define mappings of rights of the first 

security descriptor specification to rights of the second security descriptor 

specification; 

for each right for which there is a corresponding mapping rule, converting 
the right that follows tne first security descriptor specification to a corresponding 
right that follows the second security descriptor specification; 

an act of assembling each corresponding right that follows the second 
security descriptor specification to form a version of the first security descriptor 
that follows the second security descriptor specification; 

for each right for which there is a corresponding mapping rule, an act of 
comparing the right in the version of the first security descriptor that follows the 
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second security descriptor specification I to the right in the second security 
descriptor; / 

based on the act of comparing,/an act of detecting changes in the first 
security descriptor that are not reflected An the second security descriptor; and 

an act of changing the secona security descriptor to reflect the detected 
changes in the first security descriptor 

21 . A computer program product in accordance with Claim 20, wherein the first 
security descriptor specification is the 4.0/specification. 

22. A computer program product in accordance with Claim 21, wherein the 
second security descriptor specification is the Active Directory specification. 

23. A computer program product in accordance with Claim 20, wherein the first 
security descriptor specification is the Active Directory specification. 

24. A computer program product in accordance with Claim 23, wherein the 
second security descriptor specification is the 4.0 specification. 
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a processing device; and / 

a combination of one or mom computer-readable media which in 
combination have stored thereon the following: 

a first data structure that/ represents a first security descriptor that 
follows a first security descriptor specification and that represents an object; 

a second data structure /that represents a second security descriptor 
that follows a second security descriptor specification and that also 
represents the object; / 

a third data structure /that represent mapping rules that correlate sets 
of one or more rights of th© first security descriptor specification which sets 
of one or more rights of the second security descriptor specification; and 

computer-executaple instruction that, when executed by the 
processor, perform the following: 

a step for converting the first security descriptor that follows 

the first security descriptor specification into a version of the first 

security descriptor that follows the second security descriptor 

specification; / 

a step for comparing the version of the first security 
descriptor that follows the second security descriptor specification 
with the second security descriptor that also follows the second 
security descriptor specification; and 
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an act of changing thp^econd security descriptor to reflect at 
least some of the ch^Kfges represented in the version of the first 
security descriptc 
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26. A computer-readable medium having stored thereon the following: 

a first data structure that represents a first security descriptor that follows a 

first security descriptor specification andrthat represents an object; 

a second data structure that Represents a second security descriptor that 

follows a second security descriptor specification and that also represents the 

object; 

a third data structure thatf represent mapping rules that correlate sets of one 
or more rights of the first security descriptor specification which sets of one or 
more rights of the second security descriptor specification; and 

a fourth data structure that represents a version of the first security 
descriptor that follows ther second security descriptor specification. 
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